CN104468459B - A kind of leak detection method and device - Google Patents

Publication number: CN104468459B
Authority: CN (China)
Prior art keywords: access request, login account, loophole, site access, target user
Legal status: Active
Application number: CN201310413831.7A
Other languages: Chinese (zh)
Other versions: CN104468459A
Inventors: 辛霄, 刘剑
Current and original assignee: Shenzhen Tencent Computer Systems Co Ltd
Application filed by Shenzhen Tencent Computer Systems Co Ltd; priority to CN201310413831.7A; published as CN104468459A; application granted and published as CN104468459B; legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract

The present invention relates to a vulnerability detection method that includes the following steps: when a site access request sent by a client is received, judging whether the site access request comes from a target user; if it does, accessing the target website with the site access request and obtaining the response page returned by the target website; and detecting from the response page whether the target website has a vulnerability, obtaining a detection result. The present invention also provides a vulnerability detection device. With the present invention, vulnerabilities in websites can be discovered in time.

Description

Vulnerability detection method and device
Technical field
Embodiments of the invention relate to the field of network security, and in particular to a vulnerability detection method and device.
Background art
In network technology, a vulnerability is a security defect in a network system. A vulnerability allows an attacker to access or damage the network system without authorization. Web vulnerabilities are vulnerabilities in website programs, and are often caused by developers not considering every case when writing code. Common Web vulnerabilities include SQL (Structured Query Language) injection vulnerabilities, XSS (Cross Site Scripting) vulnerabilities and file upload vulnerabilities.
At present, Web vulnerabilities are mainly found with a vulnerability scanning system aimed at websites. Such a system collects, by means such as a web crawler, a list of web page addresses (URLs, Uniform Resource Locators) together with the parameters and parameter types of each address, constructs a vulnerability attack test request for the target website of each address according to a vulnerability feature database, and judges from the information the target website returns whether it has a particular vulnerability.
However, collecting the embedded web page addresses and their parameters and types by web crawling not only leaves the address coverage incomplete, it also captures a large number of useless static resource links and wastes system resources. In addition, the vulnerability feature database is usually collected and compiled by the maintainers of the scanning system, so its feature coverage may also be incomplete. Vulnerability attack test requests built from such a feature database may therefore fail to discover newly emerging vulnerabilities in time, and the response time to emerging vulnerabilities is long.
Summary of the invention
In view of this, it is necessary to provide a vulnerability detection method and device that can discover vulnerabilities in websites in time and reduce the waste of system resources.
A vulnerability detection method includes the following steps: when a site access request sent by a client is received, judging whether the site access request comes from a target user; if it does, accessing the target website with the site access request and obtaining the response page returned by the target website; and detecting from the response page whether the target website has a vulnerability, obtaining a detection result.
A vulnerability detection device includes: a judgment module, which, when a site access request sent by a client is received, judges whether the site access request comes from a target user; an acquisition module, which, if the site access request comes from a target user, accesses the target website with the site access request and obtains the response page returned by the target website; and a detection module, which detects from the response page whether the target website has a vulnerability and obtains a detection result.
Compared with the prior art, the vulnerability detection method and device of the invention monitor site access requests from target users and detect, from the information the target website returns in response to such a request, whether the target website has a vulnerability. Vulnerabilities in websites can thus be found in time, and the waste of system resources is reduced.
To make the above and other objects, features and advantages of the invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 is a block diagram of a server.
Fig. 2 is a schematic of the environment in which the vulnerability detection method provided by an embodiment of the invention is applied.
Fig. 3 is a flowchart of the vulnerability detection method provided by the first embodiment of the invention.
Fig. 4 is a flowchart of the method of establishing the target user database.
Fig. 5 is a flowchart of the method of judging whether a site access request comes from a target user.
Fig. 6 is a flowchart of the vulnerability detection method provided by the second embodiment of the invention.
Fig. 7 is a block diagram of the vulnerability detection device provided by the third embodiment of the invention.
Fig. 8 is a block diagram of the vulnerability detection device provided by the fourth embodiment of the invention.
Detailed description
To further explain the technical means and effects by which the invention achieves its intended purpose, specific embodiments, structures, features and effects of the invention are described in detail below with reference to the drawings and preferred embodiments.
Fig. 1 shows a block diagram of a server. As shown in Fig. 1, server 1 includes one or more memories 11 (only one is shown in the figure), a processor 12, a storage controller 13, a peripheral interface 14, a communication module 15, an input unit 16 and a display unit 17. These components communicate with one another over one or more communication buses or signal lines.
Those skilled in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of server 1. For example, server 1 may include more or fewer components than shown in Fig. 1, or a configuration different from that of Fig. 1. Each component shown in Fig. 1 may be implemented in hardware, software, or a combination of the two.
Memory 11 may store software programs and modules, such as the program instructions or modules corresponding to the vulnerability detection method and device of the embodiments of the invention. Processor 12 executes the software programs and modules stored in memory 11 so as to perform various functions and process data, that is, to implement the vulnerability detection method described above.
Memory 11 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, memory 11 may further include memory located remotely from processor 12 and connected to server 1 through a network; examples of such a network include the Internet, an intranet, a local area network, a mobile communication network and combinations thereof. Processor 12 and other possible components may access memory 11 under the control of storage controller 13.
Peripheral interface 14 couples the various input and output devices to processor 12 and memory 11. Processor 12 runs the software and instructions in memory 11 to perform the various functions of server 1 and to process data.
Communication module 15 communicates with a communication network or other equipment. Specifically, communication module 15 may be a network interface card. A network interface card is the interface between a computer and the transmission medium in a local area network: it provides the physical connection and electrical signal matching with the local network transmission medium so that a local area network can be set up and connected to the Internet, and communicates with networks such as local area networks, metropolitan area networks and wide area networks. The card may include the existing circuit elements needed for these functions, such as a processor and memory (including ROM and RAM).
Input unit 16 receives entered character information and generates keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. Specifically, input unit 16 may include buttons 161 and a touch surface 162. Buttons 161 may include character keys for entering characters and control buttons for triggering control functions; examples of control buttons are a "return to home screen" button, a power on/off button and a camera button. Touch surface 162 collects touch operations by the user on or near it (for example operations by the user with a finger, stylus or any other suitable object or attachment on or near touch surface 162) and drives the corresponding connected device according to a preset program. Optionally, touch surface 162 includes both a touch detection device and a touch controller: the touch detection device detects the position of the user's touch and the signal produced by the touch operation, and passes the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to processor 12, and can receive and execute commands from processor 12. Touch surface 162 may be implemented with resistive, capacitive, infrared, surface acoustic wave or other sensing types. Besides touch surface 162, input unit 16 may include other input devices, including but not limited to one or more of a physical keyboard, trackball, mouse and joystick.
Display unit 17 displays information entered by the user, information provided to the user and the various graphical interfaces of server 1. These graphical user interfaces may consist of graphics, text, icons, video and any combination of them. In one example, display unit 17 includes a display panel 171, which may be a liquid crystal display (LCD) panel, an organic light-emitting diode (OLED) display panel, an electrophoretic display (EPD) panel or the like. Further, touch surface 162 may be arranged on display panel 171 so as to form a single unit with it.
Fig. 2 is a schematic of the environment in which the vulnerability detection method provided by an embodiment of the invention is applied. In this embodiment the method is applied in the server 1 described above, which communicates over a network 2 with at least one terminal, such as terminal 3 in Fig. 2. Server 1 may include one or more servers and may also be a virtual cloud computing module. Examples of terminal 3 include but are not limited to a desktop computer, laptop computer, smartphone, tablet computer, personal digital assistant or other similar computing device. Network 2 may be any kind of network connection, such as the Internet, the mobile Internet (for example the 2G or 3G networks provided by telecommunication operators), or a wired or wireless local area network.
First embodiment
As shown in Fig. 3, the first embodiment of the invention provides a vulnerability detection method that includes the following steps:
Step S1: when a site access request sent by a client is received, judge whether the site access request comes from a target user;
Step S2: if the site access request comes from a target user, access the target website with the site access request and obtain the response page returned by the target website;
Step S3: detect from the response page whether the target website has a vulnerability, obtaining a detection result.
By monitoring the site access requests from target users and detecting, from the information the target website returns in response to such a request, whether the target website has a vulnerability, the method above can find vulnerabilities in websites in time and reduce the waste of system resources.
In some examples, the implementation details of each step are as follows.
The client in step S1 may be, for example, the client of a website access tool such as a browser. The website access tool is set up in server 1, and its client is installed and run in terminal 3. Through the client the user can access websites on the Internet, such as social networking sites and shopping sites.
In this embodiment, before accessing any website through the client, the user must first log in to the website access tool with a valid login account. Specifically, logging in proceeds as follows: the user enters a login account (for example a previously registered user name and password) in the client of the website access tool; the client sends the login account to server 1, which verifies its validity; when server 1 verifies that the login account is valid, the user is logged in to the website access tool and can send site access requests to target websites through the client and access them.
A site access request is issued according to the user's operation on the client. For example, when the user enters a web page address in the client's address bar, a site access request for the target website corresponding to that address is issued; likewise, when the user clicks a link embedded in a web page or a document, a site access request for the target website of that link is issued. A site access request contains, for example, the client's current login account, the web page address of the target website and the parameters corresponding to that address. The parameters include, for example, the current search keyword, the source site, the browser type and tags of the target website.
In addition, in this embodiment a target user database must be established before step S1 is executed. The target user database may be stored in memory 11 of server 1 and records the login account of each target user. A target user is a user who, because of professional expertise or hobby, is likely to question whether a website has a vulnerability and therefore to send vulnerability attack test requests to that website. A site access request issued by a target user is consequently more likely to be a vulnerability attack test request aimed at the target website, and monitoring the site access requests of target users gives more opportunity to discover vulnerabilities in target websites.
Specifically, as shown in Fig. 4, the method of establishing the target user database may include the following steps:
Step S41: collect the interest data corresponding to each registered login account. The interest data reflects the interest tendency of the user associated with a login account when accessing the network. For example, some users tend to read current news, some tend to browse shopping sites, and some tend to browse websites about network security technology.
As shown in Fig. 4, step S41 may include the following steps:
Step S411: monitor the network access behaviour of each registered login account. Network access behaviour includes, for example, accessing the web page at an entered address, searching for another page from a page, posting pictures or text on a page, and browsing the document content of a page. Network access behaviour can be represented by keywords, for example the title and keywords of the page a login account accessed, the terms entered in searches and on web pages, the keywords of comments or messages left on a page, and the titles and tags of articles published on a page.
After a login account logs in to the website access tool and accesses a web page, step S411 records the network access behaviour of that login account in the form of such keywords, for example in memory 11, for later analysis of the account's interest data. In this embodiment a rule may be set so that only a specified number of keywords, for example two, are extracted from one network access of a login account to characterise that access. Limiting the number of keywords per access prevents accesses that correspond to a very large number of keywords from making the subsequent analysis of interest data inaccurate. For example, when the login account accesses a web page about vulnerability mining, the two keywords "vulnerability mining" and "network security" can be extracted from the page to represent that access.
Step S412: analyse the interest data of each login account from its network access behaviour. In one example the network access behaviour of each login account is counted, that is, the keywords of the account's network accesses are counted, and the proportion of each keyword among all keywords recorded for that login account is calculated. It will be understood that the higher the proportion of a keyword among all keywords of a login account, the more frequent the network access behaviour corresponding to that keyword, and that behaviour reflects, to some extent, the interest tendency of the user associated with the login account.
Therefore, if the proportion of a keyword among all keywords of a login account reaches a predetermined threshold, for example 50%, that keyword is determined to be one item of the interest data of the login account. The interest data of a login account may include one or more keywords, for example "current affairs", "vulnerability mining" and "network security".
It should be noted that in practice a single natural person may register one or more login accounts for logging in to the website access tool and accessing websites, and the interest data of login accounts belonging to the same user ought to be consistent. However, the interest data collected in step S41 for login accounts associated with the same user may be inconsistent.
Therefore, after step S41, the interest data of login accounts associated with the same user may be unified. Specifically, login accounts associated with the same user are first identified from information such as the login time, login IP address and login location of each account. The union of the interest data of those accounts is then taken, and the union is used as the interest data of each login account associated with that user.
Step S42: judge, account by account, whether the interest data of each login account matches a specified interest, and if so, record the login account in the target user database. In this embodiment a target user is a user who is relatively likely to question whether a website has a vulnerability and to send vulnerability test requests to that website, so the specified interest is, for example, an interest in website intrusion or vulnerability mining. The specified interest may also consist of several keywords, for example "website intrusion", "vulnerability mining", "Web vulnerability" and "intrusion". In this embodiment, as long as some or all of a login account's interest data matches the specified interest, the login account is judged to be associated with a target user and is recorded in the target user database.
In conclusion as shown in fig.5, the step S1 judges whether site access request comes from the target user Method may comprise steps of:
Step S51 obtains the current login account of the client from site access request.Specifically, step S51 can To use DPI(Deep Packet Inspection, deep-packet detection)Technology analyzes site access request, thus from the station The current login account of the client is obtained in point access request.
Step S52 judges that the current login account whether there is in the target user data library, if so, judging should Site access request comes from the target user.If it is not, then judging that site access request is not from the target user.
In step S2, if site access request comes from target user, site access request may be target One loophole test request for being directed to the targeted sites of user's construction.Therefore, it directly can ask to come using the site access Access target website, and obtain the response page of targeted sites return.The targeted sites return response page simultaneously also by It is transmitted to client, user is transferred to handle.
Targeted sites are detected according to the response page in step S3 and whether there is loophole, it in the present embodiment, can should Response page is compared with the normal page set by the targeted sites.If the response page is consistent with the normal page, Judge that loophole is not present in the targeted sites.If the response page and the normal page are inconsistent, judge that the targeted sites exist Loophole.The normal page of the targeted sites is that the normal access request asked for non-loophole attack test responds.The target The normal page of website can first pass through the normal access request and be obtained from targeted sites, and be pre-stored in the memory In 11.The testing result includes that the targeted sites whether there is loophole.If the testing result indicates that the targeted sites exist Loophole, then step S3 can also be sent a warning message to the targeted sites, to alert safeguard the targeted sites responsible person should There are loopholes for targeted sites, and some information, such as loophole type etc. for providing the loophole.
In conclusion in leak detection method provided in this embodiment, due to target user be may be to network Website throws doubt upon with the presence or absence of loophole, to send out the user of loophole test request to corresponding website.Pass through foundation And safeguard the target user data library for the login account for including each target user, and the site access from target user is asked It is monitored, if the loophole attack test for the targeted sites that site access request is target user's construction is asked, Loophole existing for the targeted sites can be found in time, shorten the response time to newly starting a leak, while reducing system resource Waste.
Second embodiment
The vulnerability detection method of the first embodiment can find vulnerabilities in target websites in time and shortens the response time to newly emerging vulnerabilities. Separately, the web page address library of an existing vulnerability scanning system holds the web page addresses of pages awaiting vulnerability testing. Because those addresses are usually collected by means such as web crawlers, their coverage may be incomplete; the scanning system's vulnerability feature database may likewise have incomplete feature coverage.
To address these problems further, the second embodiment of the invention provides a vulnerability detection method that, on the basis of the first embodiment, also improves the web page address library and the vulnerability feature database of the vulnerability scanning system. Referring to Fig. 6, compared with the method of the first embodiment, after the site access request has been judged to come from a target user, step S2 further includes:
Step S21: analyse the site access request and extract the web page address of the target website from it. As in step S51, step S21 may use DPI technology to analyse the site access request and extract the address of the target website.
Step S22: judge whether the web page address of the target website exists in the web page address library of the vulnerability scanning system, and if not, store it in the library. The web page address library is what the scanning system uses to construct vulnerability attack test requests for the websites of the addresses it contains. If the library's coverage is incomplete, the scanning system cannot test the websites of uncovered addresses for vulnerabilities. Therefore, if the site access request comes from a target user and the target website's address is absent from the library, step S22 stores it there to improve the library.
In addition, after step S3 has obtained the detection result, the method further includes:
Step S23: if the detection result indicates that the target website has a vulnerability, extract the vulnerability feature of that vulnerability and update the vulnerability feature database of the scanning system with it. In general, the scanning system constructs vulnerability attack test requests from the vulnerability features in its feature database, so if the database lacks a feature, the scanning system cannot construct a test request from that feature and cannot detect the corresponding vulnerability in a website. After extracting the feature, step S23 may first judge whether the feature database already contains it, and if not, add it to the database so as to improve the database.
In summary, the method of this embodiment stores the web page address of the target website in the web page address library when the address is absent, and updates the vulnerability feature database from the feature of the detected vulnerability when the target website has one. This improves both the address library and the feature database in time and strengthens the scanning system's ability to find vulnerabilities.
Third embodiment
As shown in Fig. 7, the third embodiment of the invention provides a vulnerability detection device 100 comprising an establishing module 101, a judgment module 102, an acquisition module 103 and a detection module 104. It will be appreciated that each of the above modules refers to a computer program or program segment for executing one or more specific functions. In addition, the distinction between the above modules does not mean that the actual program code must also be separated.
The establishing module 101 is used to establish a target user database, in which the login account of each target user is recorded.
Specifically, the establishing module 101 may first collect the interest data corresponding to each registered login account. In this embodiment, the establishing module 101 may monitor the network access behaviour of each registered login account and then derive the interest data corresponding to each login account from an analysis of that network access behaviour. At the same time, since one user (a natural person) may apply for one or more login accounts, the interest data of login accounts belonging to the same user should in principle be consistent. Preferably, the establishing module 101 also unifies the interest data corresponding to login accounts associated with the same user.
Then the establishing module 101 judges, one by one, whether the interest data corresponding to each login account is consistent with a specified interest; if so, the login account is recorded in the target user database. The specified interest includes website intrusion or vulnerability mining.
The judgment module 102 is used to judge, when a site access request sent by a client is received, whether the site access request comes from a target user. Specifically, the judgment module 102 may obtain the client's current login account from the site access request and then judge whether that current login account is present in the target user database. If the current login account is present in the target user database, the judgment module 102 judges that the site access request comes from a target user.
The acquisition module 103 is used, if the site access request comes from a target user, to access the targeted site using the site access request and then obtain the response page returned by the targeted site.
The detection module 104 is used to detect, according to the response page, whether the targeted site has a vulnerability and to obtain a detection result. In this embodiment, the response page may be compared with the normal page set by the targeted site. If the response page is consistent with the normal page, the targeted site is judged to have no vulnerability; if the response page is inconsistent with the normal page, the targeted site is judged to have a vulnerability. The detection result indicates whether the targeted site has a vulnerability. If the detection result indicates that the targeted site has a vulnerability, the detection module 104 may also send a warning message to the targeted site, warning the person responsible for the targeted site that the site has a vulnerability and should be maintained.
For the specific working process of each of the above modules, reference may be made to the vulnerability detection method provided by the first embodiment of the invention, which is not repeated here.
In conclusion, during the implementation of the vulnerability detection device 100 provided by this embodiment, target users are those users who are relatively likely to suspect that a website has a vulnerability and to send vulnerability test requests to the corresponding website. By establishing and maintaining the target user database containing the login account of each target user, and by monitoring site access requests from target users, a vulnerability existing in the targeted site can be found in time whenever a site access request is a vulnerability attack test request constructed by a target user for that targeted site. This shortens the response time to a newly appearing vulnerability and at the same time reduces the waste of system resources.
Fourth embodiment
As shown in Fig. 8, the fourth embodiment of the invention provides a vulnerability detection device 200 which, compared to the vulnerability detection device 100 provided by the third embodiment of the invention, further comprises:
A first update module 201, used, after the judgment module 102 judges that the site access request comes from a target user, to analyse the site access request and extract the webpage address of the targeted site from it. The first update module 201 may analyse the site access request using DPI (deep packet inspection) technology in order to extract the webpage address of the targeted site from the site access request.
The first update module 201 is further used to judge whether the webpage address of the targeted site is present in the webpage address library of the vulnerability scanning system and, if not, to store the webpage address of the targeted site into the webpage address library.
In addition, the vulnerability detection device 200 further comprises:
A second update module 202, used, after the detection module 104 obtains the detection result, to extract the vulnerability feature of the vulnerability of the targeted site if the detection result indicates that the targeted site has a vulnerability, and to update the vulnerability feature library of the vulnerability scanning system according to the extracted vulnerability feature.
For the specific working process of each of the above modules, reference may be made to the vulnerability detection method provided by the second embodiment of the invention, which is not repeated here.
In conclusion, with the vulnerability detection device 200 of this embodiment, when the webpage address of the targeted site is not present in the webpage address library of the vulnerability scanning system, that webpage address is stored into the webpage address library, and when the targeted site has a vulnerability, the vulnerability feature library of the vulnerability scanning system is updated according to the feature of that vulnerability. The webpage address library and the vulnerability feature library are thus improved in a timely manner, and the ability of the vulnerability scanning system to find vulnerabilities is improved.
In addition, an embodiment of the invention also provides a computer-readable storage medium storing computer-executable instructions; the computer-readable storage medium is, for example, a non-volatile memory such as an optical disc, a hard disk or a flash memory. The computer-executable instructions are used to make a computer or a similar computing device complete the various operations of the vulnerability detection method described above.
The above is only a preferred embodiment of the invention and is not intended to limit the invention in any form. Although the invention has been disclosed above by way of preferred embodiments, these are not intended to limit the invention; any person skilled in the art may, without departing from the scope of the technical solution of the invention, use the technical content disclosed above to make minor changes or modifications into equivalent embodiments. Any simple modification, equivalent variation or alteration made to the above embodiments according to the technical essence of the invention, without departing from the content of the technical solution of the invention, still falls within the scope of the technical solution of the invention.

Claims (16)

1. A vulnerability detection method, characterized in that the method comprises the following steps:
establishing a target user database in which the login account of each target user is recorded, wherein the step of establishing the target user database comprises collecting the interest data corresponding to each registered login account and judging, one by one, whether the interest data corresponding to each login account is consistent with a specified interest, and if so, recording the login account in the target user database;
when a site access request sent by a client is received, judging whether the site access request comes from a target user, wherein the step of judging whether the site access request comes from a target user comprises obtaining the client's current login account from the site access request and judging whether the current login account is present in the target user database, and if so, judging that the site access request comes from a target user;
if the site access request comes from a target user, accessing the targeted site using the site access request and then obtaining the response page returned by the targeted site;
detecting, according to the response page, whether the targeted site has a vulnerability, and obtaining a detection result.
2. The vulnerability detection method of claim 1, characterized in that the step of collecting the interest data corresponding to each registered login account comprises:
monitoring the network access behaviour of each registered login account;
deriving the interest data corresponding to each login account from an analysis of the network access behaviour.
3. The vulnerability detection method of claim 2, characterized in that the step of collecting the interest data corresponding to each registered login account further comprises:
unifying the interest data corresponding to login accounts associated with the same user.
4. The vulnerability detection method of claim 1, characterized in that the specified interest includes website intrusion or vulnerability mining.
5. The vulnerability detection method of claim 1, characterized in that, after the step of judging that the site access request comes from a target user, the method further comprises:
analysing the site access request and extracting the webpage address of the targeted site from the site access request;
judging whether the webpage address is present in the webpage address library of a vulnerability scanning system, and if not, storing the webpage address into the webpage address library.
6. The vulnerability detection method of claim 5, characterized in that the site access request is analysed using deep packet inspection technology.
7. The vulnerability detection method of claim 1, characterized in that, after the step of obtaining the detection result, the method further comprises:
if the detection result indicates that the targeted site has a vulnerability, extracting the vulnerability feature of the vulnerability and updating the vulnerability feature library of a vulnerability scanning system according to the extracted vulnerability feature.
8. The vulnerability detection method of claim 1, characterized in that, after the step of obtaining the detection result, the method further comprises:
if the detection result indicates that the targeted site has a vulnerability, sending a warning message to the targeted site.
9. A vulnerability detection device, characterized in that the device comprises:
an establishing module for establishing a target user database in which the login account of each target user is recorded, wherein the establishing module collects the interest data corresponding to each registered login account and judges, one by one, whether the interest data corresponding to each login account is consistent with a specified interest, and if so, records the login account in the target user database;
a judgment module for judging, when a site access request sent by a client is received, whether the site access request comes from a target user, wherein the judgment module obtains the client's current login account from the site access request and judges whether the current login account is present in the target user database, and if so, judges that the site access request comes from a target user;
an acquisition module for, if the site access request comes from a target user, accessing the targeted site using the site access request and then obtaining the response page returned by the targeted site;
a detection module for detecting, according to the response page, whether the targeted site has a vulnerability and obtaining a detection result.
10. The vulnerability detection device of claim 9, characterized in that collecting the interest data corresponding to each registered login account comprises:
monitoring the network access behaviour of each registered login account;
deriving the interest data corresponding to each login account from an analysis of the network access behaviour.
11. The vulnerability detection device of claim 10, characterized in that collecting the interest data corresponding to each registered login account further comprises:
unifying the interest data corresponding to login accounts associated with the same user.
12. The vulnerability detection device of claim 9, characterized in that the specified interest includes website intrusion or vulnerability mining.
13. The vulnerability detection device of claim 9, characterized in that the device further comprises:
a first update module for, after the judgment module judges that the site access request comes from a target user, analysing the site access request and extracting the webpage address of the targeted site from the site access request;
the first update module being further used to judge whether the webpage address is present in the webpage address library of a vulnerability scanning system, and if not, to store the webpage address into the webpage address library.
14. The vulnerability detection device of claim 13, characterized in that the first update module analyses the site access request using deep packet inspection technology.
15. The vulnerability detection device of claim 9, characterized in that the device further comprises:
a second update module for, after the detection module obtains the detection result, extracting the vulnerability feature of the vulnerability if the detection result indicates that the targeted site has a vulnerability, and updating the vulnerability feature library of a vulnerability scanning system according to the extracted vulnerability feature.
16. The vulnerability detection device of claim 9, characterized in that, after obtaining the detection result, the detection module is further used to:
if the detection result indicates that the targeted site has a vulnerability, send a warning message to the targeted site.
CN201310413831.7A 2013-09-12 2013-09-12 A kind of leak detection method and device Active CN104468459B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310413831.7A CN104468459B (en) 2013-09-12 2013-09-12 A kind of leak detection method and device

Publications (2)

Publication Number Publication Date
CN104468459A CN104468459A (en) 2015-03-25
CN104468459B true CN104468459B (en) 2018-10-02

Family

ID=52913847

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105404207B (en) * 2015-12-14 2019-09-06 中国电子信息产业集团有限公司第六研究所 A kind of industrial environment bug excavation apparatus and method for
CN105827664B (en) * 2016-06-06 2019-01-29 江苏通付盾科技有限公司 Leak detection method and device
CN108667770B (en) * 2017-03-29 2020-12-18 腾讯科技(深圳)有限公司 Website vulnerability testing method, server and system
CN107749835B (en) * 2017-09-11 2020-11-20 哈尔滨工程大学 Penetration test method for click hijack attack based on prediction
CN110572417B (en) * 2019-10-22 2021-11-09 腾讯科技(深圳)有限公司 Method, apparatus, server and storage medium for providing login ticket
CN111949992B (en) * 2020-08-17 2023-09-29 中国工商银行股份有限公司 Automatic safety monitoring method and system for WEB application program

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101902456A (en) * 2010-02-09 2010-12-01 北京启明星辰信息技术股份有限公司 Safety defense system of Website
CN102185859A (en) * 2011-05-09 2011-09-14 北京艾普优计算机系统有限公司 Computer system and data interaction method
CN102457500A (en) * 2010-10-22 2012-05-16 北京神州绿盟信息安全科技股份有限公司 Website scanning equipment and method
CN103106285A (en) * 2013-03-04 2013-05-15 中国信息安全测评中心 Recommendation algorithm based on information security professional social network platform

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
JP5215779B2 (en) * 2008-09-01 2013-06-19 キヤノン株式会社 Information processing apparatus and information processing method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant